I get asked all the time to “predict” the future of cybercrime. What will be the next big cyber attack? What will be the next paradigm platform shift that attackers will target? And so on.
And in general, I am nauseated by the question.
Why?
Because there is no future. The future is now. Our biggest future threats are the same threats as we face today: social engineering and unpatched software. It has been that way for the entirety of computers. We do see momentary blips of attack types that are not those things (e.g., DOS boot sector viruses, password guessing, USB autorun malware, misconfigurations, etc.), but social engineering and unpatched software have been the number one and number two ways that devices and networks are compromised and there is nothing on the horizon that looks capable of changing that.
Want to stop hackers and malware most efficiently? Concentrate more aggressively on mitigating social engineering and patch your software (and firmware). That is literally over 90% of the job. It is cybersecurity defenders’ inability to focus on that reality and respond correctly that allows hackers and malware to be as successful as they are today.
So, when anyone asks me what I think next year will look like as compared to this year, or what types of attacks I think we need to be worried about because many employees now work from home or use their personal devices, I just want to scream!
There are no new attacks. Your biggest worries are what you should have been worried about for decades. Get on it!
But what is changing is the speed of attacks.
Back when I first started in computer security, in 1987, the Internet was not the Internet. It was around, but it consisted of a few thousand nodes. Most people did not use it. Instead, most of those who interacted with other people and networks used dial-up bulletin board systems (BBSs). I remember being amazed that an email I sent to someone on the other side of the world could get a reply within a day. Wow!
But even back then, malware and hackers were able to impact people. Early computer viruses (e.g., Apple Elk Cloner, Pakistani Brain, Stoned, Jerusalem, etc.) were able to infect millions of people. Social engineering scams worked just as well as they work today, but it took a long time in the pre-Internet world…perhaps a year or over a year, to spread around the world.
The Internet changed that.
Now, hackers and malware could spread social engineering scams and exploit unpatched software significantly faster. Email-based malware programs like the ILOVEYOU worm and the Melissa virus spread around the world in days. MS Blaster spread in two days.
The 2003 SQL Slammer (https://en.wikipedia.org/wiki/SQL_Slammer) worm holds the speed record. It infected nearly every unpatched victim’s device within 10 minutes of being launched. It was so successful that it was too successful. It shut down everyone’s network. SQL Slammer could only exploit unpatched Microsoft SQL Server instances, using a vulnerability for which a patch had been released nearly six months before. Imagine, people…banks…almost everyone…did not patch their systems even after nearly half a year. That was the world then.
SQL Slammer and MS Blaster changed that. You could not take your time patching anymore. Internet worms and threats could exploit unpatched devices pretty quickly. From those experiences, we all learned that we needed to patch critical, likely-to-be-exploited vulnerabilities as soon as possible. Now, delaying over two weeks to deploy a patch against an in-the-wild threat is considered negligent.
So, what does the future of cybersecurity attacks look like? Same as today, just more speed.
Social engineering scammers are sending out new phishing emails based on today’s news events the same day as the latest newsworthy event. When rumors of Silicon Valley Bank (SVB) going under from a bank run started to surface, the phishing attacks followed the same day. Now you cannot be sure whether that bank warning notice is from your bank or a scammer. If it is super quick, the same day, I would put my money on the scammer. Real businesses have a hard time responding to their customers the same day.
Attackers will be using vulnerability scanning services, like Shodan, to locate new potential victims. Artificial intelligence-driven services and bots will seek out potentially vulnerable victims as fast as machines allow. When the AI-driven bot finds a defense or obstacle to overcome, it will increasingly overcome it automatically. No need to wait on a human adversary to get involved.
A good example is users utilizing more multifactor authentication (MFA). It used to be that any instance where a user had MFA enabled was enough to prevent most automated malware attacks. Not anymore. Malware has been looking for and stealing or bypassing MFA for decades. Today, we have automated malware that looks for over 400 banking/financial login credentials and includes modules to look for and grab MFA codes. What used to take the involvement of a human adversary is now automated. Expect that trend to continue to infinity.
The Future
The future is pretty much guaranteed, and it will absolutely change the way we defend computers. It's everything faster, both attacks and defenses. Instead of attacks taking days or weeks, it will be minutes. And that changes everything.
If an attack can exploit our systems within seconds of learning about a new vulnerability, and that happens most of the time, there is no time to patch. Or you have to patch within seconds to minutes. Waiting hours or days will be negligent.
What will that mean? Well, it means inline intrusion detection that can spot (near) “zero-day” attacks. We have to have AI-driven systems that can spot brand new attacks, that look like attacks, before they are “officially” defined as attacks. There is no other solution.
On the social engineering side, we already have the necessary defense…teach all your co-workers (and family and friends) how to spot the signs of a social engineering attack. The two biggest traits are an unexpected message, no matter how it arrived (be it email, the web, social media, chat, phone call, in-person, etc.), asking you to do something that you have never done before for that sender. Everyone has to start getting a default level of healthy skepticism on any message that meets those two traits, at least until the inline inspection systems get better (which is apparently a very difficult problem to solve).
So, for one of the ultimate solutions, inline inspection looking for brand new attacks, we may have to wait a while. I am sure dozens of vendors will write me to say we already have that today, but I have yet to meet the 100% accurate solution that works fast enough, across all possible connection channels, and does not negatively interfere with business operations. But there are a lot of very good inline inspection systems available today. Start using one.
Start patching your systems very quickly. Waiting two weeks just is not a “best practice” anymore. If an exploit is on the CISA Known Exploited Vulnerabilities (KEV) Catalog, test the patch and get it applied right away! If you are waiting more than two weeks today to apply patches, you need to update your policies. You are already behind the curve. And start working towards a model where you can apply patches the same day (or near the same day) as the patches come out.
And aggressively coach your co-workers on how to spot any sort of social engineering and phishing. Make it become an accepted culture within your environment (and sphere of influence). Let everyone know that same-day social engineering threats are starting to become the norm. Attackers are moving faster than the businesses they fraudulently emulate.
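One way to turn the KEV-driven patch policy above into a check you can run against your own scanner output, as an added example that is not part of the original post: it indexes a KEV catalog feed (a constructed sample in the shape of CISA's real JSON, with placeholder CVE IDs), matches it against a constructed list of still-open findings per host, and flags every KEV-listed finding older than the patch SLA. The two-week ceiling and the sample data are assumptions for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV catalog JSON feed
# (top-level "vulnerabilities" list; field names follow the real feed).
# The CVE IDs are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleCo", "product": "ExampleDB",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-15",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleCo", "product": "ExampleWeb",
         "dateAdded": "2024-03-10", "dueDate": "2024-03-31",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: CVEs still open on our hosts, as a vuln scanner would export them.
OPEN_FINDINGS = {
    "db01": ["CVE-1900-0001", "CVE-1900-9999"],
    "web01": ["CVE-1900-0002"],
}

SLA_DAYS = 14  # assumed policy: the two-week ceiling the post says is no longer good enough

def load_kev(raw_json):
    """Index KEV entries by CVE ID so lookups from scanner output are O(1)."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def overdue_findings(kev, findings, today_iso, sla_days=SLA_DAYS):
    """Return (host, cve, days_since_kev_listing) for open KEV CVEs older than the SLA,
    worst first. CVEs not in KEV are skipped here: still patch them, but they are not
    the same-day priority."""
    today = date.fromisoformat(today_iso)
    hits = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            age = (today - date.fromisoformat(entry["dateAdded"])).days
            if age > sla_days:
                hits.append((host, cve, age))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for host, cve, age in overdue_findings(kev, OPEN_FINDINGS, "2024-03-20"):
        print(f"{host}: {cve} has been in KEV for {age} days, beyond the {SLA_DAYS}-day SLA")
```

Point it at the live feed and your real scanner export, and drop `sla_days` toward 0 as you move to same-day patching; anything it prints is a policy violation by your own definition.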
The future is speed. From attackers. From defenders.